Policy | Security | Investigation

August 07, 2008

Payment Card Issuers Over-reacted to TJX

Federal Trade Commission Misunderstands Card Data Privacy.

Rethink PCI Law.

The TJX credit card data break-in is reputed to be the largest in history. On the heels of the incident, many credit card issuers replaced cards believed to be compromised. To replace cards is expensive (not to mention disruptive to consumers), and many card issuers demanded, through lawsuits and otherwise, that TJX reimburse them. December 2007 TJX settled one class action lawsuit with issuers of affected VISA cards, agreeing to pay $41 million. Dow Jones Newswires, "TJX Gets Over 95% Acceptance Of VISA Settlement Agreement," December 20, 2007. May 2008 TJX said it had support for settlement with Mastercard issuers for $24 million.

The Federal Trade Commission concluded that TJX had maintained inadequate controls to protect credit card data and had therefore committed unfair trade practices. Consequently, the Commission has punished TJX by requiring it to adopt new controls (in the vein of the PCI - Payment Card Industry Data Security Standard) and file extensive paperwork with the government for years to show that the controls are in place.

That's the background. Now think about this . . . August 2008 federal authorities announced indictments of the ring of criminals at the heart of the TJX heist. The ring had stolen data from both TJX and many other retailers. According to authorities, the criminals used stolen data to withdraw tens of thousands of dollars at a time from automated teller machines. Their ATM withdrawals added up to hundreds of thousands of dollars.

Do you see an imbalance here? TJX settles with VISA & Mastercard issuers for $65 million, whereas the actual reported fraud is only a tiny fraction of that amount. Further, when card issuers canceled all those cards, they alarmed and inconvienced millions of cardholders to excess.

To be sure, a final accounting for the TJX fraud has not been made, at least to the public. However, public information suggests the costs incurred to cancel cards far exceeded the true magnitude of the TJX break-in.

In other words, the credit card issuer industry over-reacted. After being notified about TJX, the industry erupted in a spasm of card cancellations on the assumption that unauthorized access to data at a retailer is, per se, a catastrophic event. [The industry's total costs probably far exceeded $65 million, as TJX's settlements with the banks were perceived as "low" and a "bargain" for TJX. Regarding the VISA settlement, one industry expert said, "$40 million doesn't begin to cover the true exposure" to losses caused by card cancellations. Further, one lawsuit against TJX, led by Amerifirst Bank, continues because the bank contends the losses caused by card cancellations are much more than what TJX has agreed to pay.]

The Federal Trade Commission also over-reacted. The FTC marched to the notions that data security at a merchant is, in and of itself, paramount to protecting consumers and that a merchant perceived to have fallen short is a bad guy (a privacy infringer) who warrants government-sponsored punishment.

The knee-jerk reactions by card issuers and FTC failed to appreciate how robust the credit card system actually is. The multiform layers of controls in the system make it very hard and dangerous for criminals to capitalize on data stolen from a merchant.

The credit card industry needs new methods to make the reaction to a cyber attack balance with the magnitude of the actual risk. Card issuers could, for example, react to a hacker break-in with tighter software controls on suspect accounts, emphasizing fraud detection, foreign transaction blocks and enforcement of transaction limits.

[Update: According to USA Today October 23, 2008, the indictment for alleged hacker Albert Gonzales claims he amassed $1.6 million booty. Gonzales was allegedly central to a hacker ring that stole card data from many merchants, TJX being only one.]

[My videos allude to the memorable Dr. Evil, in the movie Austin Powers: International Man of Mystery. In the movie the melodramatic Dr. Evil (played by comedian Mike Myers) speaks this way to say he will hold the entire world ransom for a mere "one m-i-l-l-i-o-n dollars".] Another article I posted on TJX appears here.

Comments

You can follow this conversation by subscribing to the comment feed for this post.

FWIW, the DoJ press release said that the accused withdrew tens of thousands of dollars at a time, not total. The latest number I saw for the first credit card ring is $8 million, and the DoJ indictment wants $20 million in forfeitures from Yastremskiy.

Jim: Thank you! You are absolutely correct about the tens of thousands of dollars at a time. I was mistaken. My original thinking came from USAToday, which did not say "at a time". I cited the US DoJ press release, but failed to read it carefully.

Thus, regarding the ATM withdrawals, it seems the hundreds of thousands of dollars figure is better.

Jim: Regarding the ring of thieves in Florida: The original criminal charges (circa March 2007) filed against the ring used the $8 million figure. However, later press reports like this one in the St. Petersburg Times, speak in terms of a lower figure, i.e., "more than $1-million". I appreciate your contribution to this discussion!

Tracing particular dollars to a break-in at a particular merchant is a forensic nightmare. Yastremskiy et al. are tied to data thefts at many merchants, TJX being just one. Dollar figures tied to Yastremskiy mix TJX with other heists.

Criminal indictments like Yastremskiy’s are not conservative, CPA-audited financial statements. They are negotiation documents, written by prosecutors, i.e., advocates of the government’s position.

The forfeiture sought from Yastremskiy could easily count any given dollar more than once. He was a money launderer; he moved money around. The indictment (apparently) seeks all the money transferred in connection with him during certain periods of time.

Although you've made some good points here, I think you've missed some important ones too.

I'm a merchant advocate but I have no problem pointing the finger directly at TJX and the others. They were not PCI compliant and some areas of their security, wireless in particular, were shoddy at best. To make matter worse, there's ample evidence that they knew it and made the conscious decision to save money by not tightening up. Saved a bundle, didn't they!

I represent close to 3800 e-commerce merchants and I don't think that there was an over reaction at all. What you haven't taken into account is that this credit card information - which is now believed to be in the neighborhood of 90 million accounts - will be floating around for years in the carder chat rooms and bulletin boards that have been created to sell them one by one or in blocks of thousands. And every time one of them is successfully used on line for a purchase, the e-commerce merchant will suffer. He'll loose his money, his merchandise, his shipping fees and a chargeback fee. Chargeback fee, I assume you know, is the payment industry's term for a fine for being a victim of a crime.

The arrests and indictments that we know about so far may well be a drop in the bucket against those 90 million accounts. As you pointed out yourself, tracing particular dollars to a break-in at a particular merchant is a forensic nightmare. The fact is that we'll never know how many dollars were lost, how many of those accounts were used, or how many will be used in the future. From an e-commerce merchant's point of view, every one of those accounts should be closed and new ones issued. And if TJX, et. al. have to pick up the tab, so be it.

When you know a criminal organization is in possession of your card data, it is safer to cancel the card immediately. Waiting for fraudulent charges to actually appear is not less expensive in the long run.

IT Administrators

Twitter

Wright's Google Profile

Custom Professional Training

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

E-mail Mr. Wright

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. He does not give advice to non-clients.